Microsoft has released Security Updates (SUs) for vulnerabilities found in:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.
SUs are available for the following specific versions of Exchange Server:
- Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)
- Exchange Server 2016 CU23
- Exchange Server 2019 CU11 and CU12
Note: Build availability issues have been resolved. If your server downloaded the February SU via Windows/ Microsoft update before February 15 8 AM Pacific time, you might see the February update be offered again. Installing the updated package will bring your server forward to current February builds (verify using Health Checker after installation). The Download Center .exe update packages were (and still are) correct.
The February 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed in these SUs and do not need to take any action other than updating Exchange servers in their environment.
More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).
Update installation
The following update paths are available:
- Install the latest CU. Use the Exchange Update Wizard to choose your current CU and your target CU to get directions.
- Inventory your Exchange Servers to determine which updates are needed using the Exchange Server Health Checker script. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs, SUs, or manual actions).
- Re-run the Health Checker after you install an SU to see if any further actions are needed.
- If you encounter errors during or after installation of Exchange Server, run the SetupAssist script. If something does not work properly after updates, see Repair failed installations of Exchange Cumulative and Security updates.
Known issues with this release
- EWS web application pool stops after the February 2023 Security Update is installed - please note that to simplify the override application, we have now included instructions to apply a global override in case you see the EWS service crash.
- For some customers, who have non-default applications installed through ECP add-ins, the ECP add-ins page might be broken after February SU is installed. We will address this issue in a future update.
- Exchange Toolbox and Queue Viewer fails after Certificate Signing of PowerShell Serialization Payload is enabled (Note: this is an issue with the Certificate Signing of PowerShell Serialization Payload feature, not an issue with the security update.
Issues resolved in this release
- Version error when you install Exchange Server in RecoverServer mode – going forward, February 2023 and newer SUs will not cause this issue (but modifications made by the January 2023 SU might still require manual action during a server recovery operation, so the steps outlined in the article might still apply with later SUs installed)
- After the January 2023 SU is installed on Exchange 2016 or Exchange 2019, web page previews for URLs shared in OWA do not render properly
- Some Exchange services do not start automatically after installing January 2023 Security Update
- PowerShell Serialization Payload Signing can now be enabled if Exchange Server 2013 is in the organization
- This release unblocks customers who are not able to enable Extended Protection (EP) because they are using a Retention Policy with Retention Tags that perform Move-to-Archive actions. Note: if you worked around this problem using the updated Exchange Server Extended Protection script, you should roll back the applied IP restrictions after installing this SU by following the script documentation.
FAQs
Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing the February 2023 SU, you should re-run the Hybrid Configuration Wizard.
The last SU we installed is a few months old. Do we need to install all SUs in order, to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this update FAQ blog post for more information.
Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install Security Updates on all Exchange Servers as well as servers or workstations running Exchange Management Tools only, which will ensure that there is no incompatibility between management tools clients and servers.
Updates to this post:
- 3/3/2023: Added the resolved issue for customers who were blocked from enabling Extended Protection and using archiving
- 3/2/2023: Added a known issue related to ECP add-ins page and non-default applications
- 2/17/2023: Linked to the new KB article talking about the EWS crash
- 2/16/2023: Clarification that we recommend that customers impacted by the EWS crash keep the February SU installed and implement the posted workaround
- 2/16/2023: Clarified the EWS crash workaround
- 2/16/2023: Added a known issue related to EWS crash and the workaround
- 2/15/2023: Updated the note about download availability; all update packages should now be correct.
- 2/15/2023: Added a note that there is a build availability problem; please use Download Center until this is resolved.
The Exchange Server Team
